Support AES256-encrypted values for sensitive parameters in configs, env variables etc. #45194
Open
2 tasks done
Labels
area:secrets
kind:feature
Feature Requests
needs-triage
label for new issues that we didn't triage yet
Comments
andrii-korotkov-verkada
added
kind:feature
andrii-korotkov-verkada
added a commit
to andrii-korotkov-verkada/airflow
that referenced
this issue
Dec 24, 2024
Implements support for `_ENCRYPTED` versions of env variables and `_encrypted` versions of config params. Those would be encrypted using a parameter `params_encryption_aes256_key` (which can be retrieved from a secret for example). The params encryption key itself doesn't support encrypted suffix, or it'd create an infinite recursion. closes: apache#45194 Signed-off-by: Andrii Korotkov <[email protected]>
andrii-korotkov-verkada
added a commit
to andrii-korotkov-verkada/airflow
that referenced
this issue
Dec 24, 2024
Implements support for `_ENCRYPTED` versions of env variables and `_encrypted` versions of config params. Those would be encrypted using a parameter `params_encryption_aes256_key` (which can be retrieved from a secret for example). The params encryption key itself doesn't support encrypted suffix, or it'd create an infinite recursion. closes: apache#45194 Signed-off-by: Andrii Korotkov <[email protected]>
andrii-korotkov-verkada
added a commit
to andrii-korotkov-verkada/airflow
that referenced
this issue
Dec 24, 2024
Implements support for `_ENCRYPTED` versions of env variables and `_encrypted` versions of config params. Those would be encrypted using a parameter `params_encryption_aes256_key` (which can be retrieved from a secret for example). The params encryption key itself doesn't support encrypted suffix, or it'd create an infinite recursion. closes: apache#45194 Signed-off-by: Andrii Korotkov <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Support config values like
fernet_key_encrypted, env variables likeAIRFLOW__CORE__FERNET_KEY_ENCRYPTEDetc. AES256 is chosen since it's supported by Helm templates and is quite generic.Use case/motivation
The goal is to better support deploying manifests with ArgoCD or similar, where the manifests are stored in Git and thus can't contain secret values due to security reasons. Encrypted values can be stored though, so only the encryption key itself would have to be fetched from a secret, significantly reducing the operational overhead.
Related issues
#45171
Are you willing to submit a PR?
Code of Conduct
The text was updated successfully, but these errors were encountered: